A group of security researchers have found a couple of
simple ways of taking complete control of the Apple
iPhone. The results are the first real success
that security researchers have had in trying to find ways to
exploit the new device, which lacks many of the common user
interfaces and inputs that hackers rely on for successful
attacks.
The first attack scenario is a straightforward one in which the
attacker sends an
Apple iPhone user an email containing a link to a malicious Web
site. Once the user clicks on the link, the attacker's Web server
exploits a flaw in the
Safari browser that runs on the phone and takes control of the
device. At that point, it's pretty much game over.
The trio of experts at Independent Security Evaluators, who did
the research, were able to perform any function they wanted on the
iPhone, including sending text messages, collecting the user's call
history and contact information and voice mail data.
"After examination of the file system, it is clear that other
personal data such as passwords, emails and browsing history could
be obtained from the device. We only retrieved some of the personal
data, but could just as easily have retrieved any information off
the device," the researchers wrote in their paper.
In assessing the iPhone's security, the ISE team concluded that
Apple focused all of its resources on preventing third-party
applications from running on the device, even going so far as
restricting the use of common plug-ins such as Flash. "However,
there are serious problems with the design and implementation of
security on the iPhone," they wrote.
The researchers, Charlie Miller, Joshua Mason and Jake Honoroff,
also used a second HTML-based exploit to force the iPhone to
perform some trivial functions, such as buzzing and vibrating.
However, they said the same attack could be used to exploit
additional APIs in the phone to make calls, send text messages or
record conversations and send them to a third party. Miller, along
with some other ISE researchers, will be discussing their findings
at the Black Hat USA conference in Las Vegas next week.
It took the team just a week of work to produce the attacks, and
they also were able to write a patch that fixes the Safari
vulnerability. ISE contacted Apple, of Cupertino, Calif., and gave
the company the details of the flaws and the attacks, as well as
the patch code. Apple personnel responded by saying they would look
into the issue, said Avi Rubin, a professor of computer science at
Johns Hopkins University, and the founder of ISE.
"Once we got the exploit working, the hard part was getting the
shellcode located correctly," Rubin said. "The impressive thing is
that these guys did this with the iPhone essentially as a black
box. They didn't have a debugger or access to the file system, so
once they were able to cause the crash in Safari, they had all of
this binary data they had to read manually. They had to read it on
a PC and it was just a matter of a couple of days to get it all
working."
In their paper, the ISE researchers suggest a number of ways in
which Apple could improve the iPhone's security. For example, they
recommend not giving every application on the device administrative
rights, which is the case now. They also suggest that Apple add
heap and stack address randomization to make exploit development
more difficult.
"While Apple takes some precautions to minimize the amount of
code accessible to remote attackers, it did not take other basic
precautions in designing a robust security solution for the
device," they say in the conclusion to their paper.